TYPO3 v14 LTS on Ubuntu 24.04 on Azure User Guide
Overview
TYPO3 is an enterprise, open source content management system used to run large, multilingual, multisite websites with granular editorial permissions, reusable content and long term support. It is favoured by agencies, universities and public sector organisations that need governed content and predictable release cycles.
The cloudimg image installs TYPO3 v14 LTS with Composer from the official packagist channel, alongside Apache 2.4, MySQL 8.0 and PHP 8.3 — all from the Ubuntu 24.04 noble universe (no third party APT repositories). The backend is served only over HTTPS: Apache terminates TLS on port 443 with a per VM self signed certificate and port 80 redirects to it, so the TYPO3 backend always runs in a secure context. At first boot the image rotates the MySQL root password, the typo3 database user password and the cloudimg backend administrator password, writing them to a root only credentials file. Nothing is baked into the image with a known or blank password.
What is included:
- TYPO3 v14 LTS (
typo3/cms-base-distribution) at/var/www/typo3, document root/var/www/typo3/public - Apache 2.4.x with mod_ssl, mod_rewrite and mod_headers; vhost at
/etc/apache2/sites-available/typo3.conf - Self signed TLS certificate on port 443, HTTP to HTTPS redirect on port 80
- MySQL 8.0.x with a
typo3database andtypo3MySQL user (per VM password) - PHP 8.3.x with the mysqli, gd, mbstring, xml, zip, intl and curl extensions
typo3-firstboot.servicerotating all secrets and runningtypo3 setupat first boot- The
cloudimgbackend administrator account (per VM password, no default login) - 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet with a subnet. Standard_B2s (2 vCPU, 4 GB RAM) is sufficient for evaluation and low to medium traffic sites; move to a D2s/D4s size for production sites with heavy editorial use or many extensions.
Step 1: Deploy the image
Launch a VM from the cloudimg TYPO3 offer in your target region. Open port 443 (HTTPS) and port 22 (SSH) to your management address in the network security group. Assign a public IP so you can reach the backend.
Step 2: Connect over SSH
ssh azureuser@<vm-ip>
Step 3: Confirm TYPO3 and the stack
Check the TYPO3 version, that Apache and MySQL are active, and that the HTTP, HTTPS and MySQL listeners are up.
cd /var/www/typo3 && sudo -u www-data php vendor/bin/typo3 --version
systemctl is-active apache2 mysql
sudo ss -tlnp | grep -E ':(80|443|3306) '
php -v | head -1

Step 4: Confirm the HTTPS backend
The TYPO3 backend is served over TLS on port 443. Port 80 issues a 301 redirect to HTTPS. The certificate is a per VM self signed certificate, so pass -k when testing locally.
curl -k -s -o /dev/null -w 'backend https /typo3/ -> HTTP %{http_code}\n' https://127.0.0.1/typo3/
curl -s -o /dev/null -w 'http / -> HTTP %{http_code} (redirect to https)\n' http://127.0.0.1/
echo | openssl s_client -connect 127.0.0.1:443 2>/dev/null | openssl x509 -noout -subject -dates

Step 5: Retrieve your per VM credentials
Every secret is generated on first boot and stored in a root only file (mode 0600). Read it to get the backend administrator password and the backend URL.
sudo cat /stage/scripts/typo3-credentials.log
Pick up TYPO3_ADMIN_USER, TYPO3_ADMIN_PASSWORD and TYPO3_BACKEND_URL from the file.

Step 6: Verify the backend administrator
Confirm the cloudimg backend administrator was created and that the typo3 database user authenticates. This reads the database password from the root only credentials file.
DBPASS=$(sudo grep '^TYPO3_DB_PASSWORD=' /stage/scripts/typo3-credentials.log | cut -d= -f2-)
sudo mysql -utypo3 -p"$DBPASS" typo3 -e "SELECT uid, username, admin FROM be_users WHERE deleted=0"

Step 7: Sign in to the TYPO3 backend
Browse to https://<vm-ip>/typo3/. Your browser will warn about the self signed certificate — accept it to continue, or install your own certificate (see the notes below). Sign in with cloudimg and the TYPO3_ADMIN_PASSWORD from Step 5.

After signing in you land on the TYPO3 dashboard, which shows system information and quick links into the backend.

Step 8: Manage content
Open Web > Page to work with the page tree. The image ships a root page and a Home page ready for you to build on.

Open Web > List to browse the records on a page, including pages and backend users.

HTTPS and certificates
The image generates a per VM self signed certificate at first boot with the VM public IP as the common name. For a production site, replace it with a certificate from your own authority (for example a Let us Encrypt certificate for your domain) by updating the paths in /etc/apache2/sites-available/typo3.conf:
sudo ls -l /etc/ssl/typo3/
Point SSLCertificateFile and SSLCertificateKeyFile at your certificate and key, then run sudo apachectl configtest && sudo systemctl reload apache2.
Security notes
- No default login. The
cloudimgbackend administrator password, thetypo3database password and the MySQL root password are all generated uniquely per VM at first boot. No credential is shared between deployments. - Root only secrets.
/stage/scripts/typo3-credentials.logis mode 0600, owned by root. Rotate the backend administrator password from Admin Tools > Backend Users after first sign in and delete the file if you wish. - Trusted hosts. The image accepts any Host header so it works on any IP or hostname out of the box. For production, narrow
SYS/trustedHostsPatternin/var/www/typo3/config/system/additional.phpto your domain.
Staying current
TYPO3 v14 is a Long Term Support release. Apply security and maintenance updates within the LTS line with Composer:
cd /var/www/typo3 && sudo -u www-data composer update "typo3/*" --with-dependencies --no-interaction
The underlying OS receives unattended security updates automatically.
Support
This image is backed by 24/7 cloudimg support. TYPO3 is licensed under GPL-2.0-or-later.